H3C AC Portal Authentication (compiled by 欧阳育 / Ouyang Yu)
一、 Networking requirements:
Date: 2021.02.04
Author: 欧阳育 (Ouyang Yu)
In a BYOD deployment, the terminal's operating system and vendor are identified mainly through four sources: the iNode client, HTTP web pages, the terminal's MAC address, and DHCP Option attributes. Identifying the terminal is what allows the corresponding permission policy to be applied.
Of these, the DHCP Option method can be used in practically any scenario.
Because deploying a DHCP server and installing the Agent plug-in on it is fairly cumbersome, this document uses plain Portal authentication as the example and describes a typical configuration in which the wireless controller's DHCP snooping function records the terminal's option 55 (terminal operating system) and option 60 (terminal vendor) information and reports it to the iMC server in RADIUS attributes.
Devices: WX-series AC, Fit AP, switch, laptop (with wireless NIC), iMC server and other smart terminals.
二、 Network diagram:
三、 Configuration steps:
1、 AC version requirement
This feature was merged into WX-series AC software in build B109D012; only that build and later can use DHCP snooping to record the terminal's option 55 (operating system) and option 60 (vendor) information and report it to the iMC server in RADIUS attributes.
The internal build number of a WX-series AC is shown by the following command (display version); the relevant field is the "Comware Platform Software Version" line:
H3C Comware Platform Software
Comware Software, Version 5.20, Release 2607P18
Comware Platform Software Version COMWARE V500R002B109D022
H3C WX5540E Software Version V200R006B09D022
Copyright (c) 2004-2014 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
Compiled Feb 25 2014 11:08:07, RELEASE SOFTWARE
H3C WX5540E uptime is 1 week, 4 days, 0 hour, 49 minutes
2、 AC-side configuration and notes
#
 version 5.20, Release 3120P17
#
 sysname WX3024-AC
#
 domain default enable system
#
 telnet server enable
#
 port-security enable
#
// Configure the portal server: IP, key, URL and server-type. The server-type here must be imc.
 portal server imc ip 172.16.0.22 key cipher $c$3$6uB5v4kaCg1aSOJkOqX+== url http://172.16.0.22:8080/portal server-type imc
// Configure a portal free-rule that permits traffic from the AC's internal uplink port
 portal free-rule 0 source interface GigabitEthernet1/0/1 destination any
#
 oap management-ip 192.168.0.101 slot 0
#
 password-recovery enable
#
vlan 1
#
vlan 24
#
// Configure the RADIUS scheme. The server-type must be extended, and user-name-format and nas-ip must match the access policy and access service configured on iMC.
radius scheme imc
 server-type extended
 primary authentication 172.16.0.22
 primary accounting 172.16.0.22
 key authentication cipher $c$3$Myv0nhgPjC4vsMforZW3iCiW5KkP7Q==
 key accounting cipher $c$3$dCEXJGp71WPyrPK4hsPJd6sdTYf01A==
 user-name-format without-domain
 nas-ip 172.16.0.202
#
// Configure the ISP domain
domain imc
 authentication portal radius-scheme imc
 authorization portal radius-scheme imc
 accounting portal radius-scheme imc
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
// Configure the DHCP pool used for AP registration
dhcp server ip-pool 1
 network 192.168.0.0 mask 255.255.255.0
#
// Configure the DHCP pool used for terminal (client) traffic
dhcp server ip-pool option55
 network 192.168.24.0 mask 255.255.255.0
 gateway-list 192.168.24.254
 dns-list 8.8.8.8
#
user-group system
 group-attribute allow-guest
#
local-user admin
 password cipher $c$3$iMGlwEx7o4TNbMqd7OaOAwB5SWSzOrKE
 authorization-attribute level 3
 service-type telnet
#
wlan rrm
 dot11a mandatory-rate 6 12 24
 dot11a supported-rate 9 18 36 48 54
 dot11b mandatory-rate 1 2
 dot11b supported-rate 5.5 11
 dot11g mandatory-rate 1 2 5.5 11
 dot11g supported-rate 6 9 12 18 24 36 48 54
#
// Configure the WLAN service template
wlan service-template 10 clear
 ssid option55
 bind WLAN-ESS 10
 service-template enable
#
wlan ap-group default_group
 ap ap1
 ap ap2
#
interface NULL0
#
// VLAN interface and IP address used to reach iMC
interface Vlan-interface1
 ip address 172.16.0.202 255.255.255.0
#
// VLAN interface and IP address for terminal traffic; portal is enabled on this interface. The portal domain and portal nas-ip must match the portal device configured on the iMC server.
interface Vlan-interface24
 ip address 192.168.24.1 255.255.255.0
 portal server imc method direct
 portal domain imc
 portal nas-ip 172.16.0.202
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan all
#
// Configure the WLAN-ESS interface
interface WLAN-ESS10
 port access vlan 24
#
wlan ap ap2 model WA2610H-GN id 2
 serial-id 219801A0FH9136Q00287
 radio 1
  service-template 10
  radio enable
#
// Enable DHCP snooping, and enable recording of the user's option 55 and option 60 information in the DHCP snooping binding entries
 dhcp-snooping
 dhcp-snooping binding record user-identity
#
// Configure the default route
 ip route-static 0.0.0.0 0.0.0.0 192.168.24.254
#
 snmp-agent
 snmp-agent local-engineid 800063A203000FE2873066
 snmp-agent community read public
 snmp-agent community write private
 snmp-agent sys-info version all
#
// Enable DHCP
 dhcp enable
#
user-interface con 0
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3
#
return
3、 For the iMC-side configuration, refer to KMS-21434 "Typical configuration of WX-series AC with iMC for wireless Portal authentication"; it is not repeated here.
4、 Result verification and packet capture
1) View the online clients and the portal online users on the AC (for example with display wlan client and display portal user all):
Total Number of Clients : 2

Client Information
SSID: option55
-------------------------------------------------------------------------------------------------
MAC Address       User Name   APID/RID   IP Address      VLAN
-------------------------------------------------------------------------------------------------
2477-0391-7720    -NA-        2/1        192.168.24.2    24
28e1-4cb5-8249    -NA-        2/1        192.168.24.3    24
-------------------------------------------------------------------------------------------------

Index:      12
State:      ONLINE
SubState:   NONE
ACL:        NONE
Work-mode:  stand-alone
MAC               IP                Vlan   Interface
----------------------------------------------------------------------------------------------
2477-0391-7720    192.168.24.2      24     Vlan-interface24
Index:      13
State:      ONLINE
SubState:   NONE
ACL:        NONE
Work-mode:  stand-alone
MAC               IP                Vlan   Interface
----------------------------------------------------------------------------------------------
28e1-4cb5-8249    192.168.24.3      24     Vlan-interface24
Total 2 user(s) matched, 2 listed.
2) On iMC, view the terminal's vendor, type, operating system and other information through Terminal Device Management:
3) In the AC's debugging output, the RADIUS Code=[1] (Access-Request) packet can clearly be seen carrying the option 55 and option 60 attribute fields (H3C-208 DHCP-Option55 and H3C-209 DHCP-Option60):
*Apr 26 16:37:06:936 2000 WX3024-AC RDS/7/DEBUG:
 Send attribute list:
*Apr 26 16:37:06:946 2000 WX3024-AC RDS/7/DEBUG:
 [1  User-name            ][8 ][c09467]
 [60 CHAP_Challenge       ][18][6EFCA7E2624584E38EA53882A4A12C90]
 [4  NAS-IP-Address       ][6 ][172.16.0.202]
 [32 NAS-Identifier       ][11][WX3024-AC]
 [5  NAS-Port             ][6 ][16818200]
 [87 NAS_Port_Id          ][18][0100010000000024]
*Apr 26 16:37:06:986 2000 WX3024-AC RDS/7/DEBUG:
 [61 NAS-Port-Type        ][6 ][19]
 [H3C-26 Connect_ID       ][6 ][21]
 [6  Service-Type         ][6 ][2]
 [7  Framed-Protocol      ][6 ][255]
 [31 Caller-ID            ][19][36432D38382D31342D35392D38392D3843]
 [30 Called-station-Id    ][28][74-25-8A-33-81-70:option55]
*Apr 26 16:37:07:027 2000 WX3024-AC RDS/7/DEBUG:
 [44 Acct-Session-Id      ][16][10003261637160]
 [8  Framed-Address       ][6 ][192.168.24.4]
 [H3C-255 Product-ID      ][12][H3C WX3024]
 [H3C-60 Ip-Host-Addr     ][32][192.168.24.4 6c:88:14:59:89:8c]
 [H3C-208 DHCP-Option55   ][14][010F03062C2E2F1F2179F92B]
 [H3C-209 DHCP-Option60   ][10][4D53465420352E30]
*Apr 26 16:37:07:077 2000 WX3024-AC RDS/7/DEBUG:
 [H3C-59 NAS-Startup-Timestamp][6 ][956750400]
*Apr 26 16:37:07:087 2000 WX3024-AC RDS/7/DEBUG:
 Event: Begin to switch RADIUS server when sending 0 packet.
*Apr 26 16:37:07:108 2000 WX3024-AC RDS/7/DEBUG:
 The RDTWL timer has resumeed.
%Apr 26 16:37:07:118 2000 WX3024-AC RDS/6/RDS_SUCC: -IfName=Vlan-interface24-VlanId=24-MACAddr=6C:88:14:59:89:8C-IPAddr=192.168.24.4-IPv6Addr=N/A-UserName=c09467@imc; User got online successfully.
%Apr 26 16:37:07:138 2000 WX3024-AC PORTAL/5/PORTAL_USER_LOGON_SUCCESS: -UserName=c09467-IPAddr=192.168.24.4-IfName=Vlan-interface24-VlanID=24-MACAddr=6c88-1459-898c-APMAC=7425-8A33-8170-SSID=option55-NasId=-NasPortId=; User got online successfully.
*Apr 26 16:37:07:169 2000 WX3024-AC RDS/7/DEBUG:
 Malloc seed: 38 in 172.16.0.22 for UserID: 21
*Apr 26 16:37:07:179 2000 WX3024-AC RDS/7/DEBUG:
 Event: Modify NAS-IP to 172.16.0.202.
*Apr 26 16:37:07:189 2000 WX3024-AC RDS/7/DEBUG:
 Send: IP=[172.16.0.22], UserIndex=[21], ID=[38], RetryTimes=[0], Code=[1], Length=[279]
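To see what iMC actually receives in those two vendor attributes, the following added example (not part of the original document, and not H3C or iMC code) parses the "[id name][len][value]" attribute lines from the debug output above and decodes H3C-208 into the DHCP option 55 parameter request list, H3C-209 into the option 60 vendor class string, and Caller-ID into the client MAC. The sample lines are constructed from the values shown on this page; the OS hint is a deliberately simplistic heuristic, not iMC's fingerprint database.

```python
import re

# Constructed sample: attribute lines copied from the AC's "Send attribute list"
# RDS/7/DEBUG output on this page. H3C-208 / H3C-209 are the H3C vendor-specific
# RADIUS attributes carrying the client's DHCP option 55 / option 60.
SAMPLE_DEBUG = """
 [1  User-name            ][8 ][c09467]
 [31 Caller-ID            ][19][36432D38382D31342D35392D38392D3843]
 [H3C-208 DHCP-Option55   ][14][010F03062C2E2F1F2179F92B]
 [H3C-209 DHCP-Option60   ][10][4D53465420352E30]
"""

# One attribute line: [<id> <name>][<len>][<value>]
ATTR_RE = re.compile(r"\[(\S+)\s+([\w\-]+)\s*\]\[\s*(\d+)\s*\]\[(.*)\]")


def parse_attrs(text):
    """Return {attribute name: value string} for every attribute line in the debug text."""
    return {m.group(2): m.group(4) for m in ATTR_RE.finditer(text)}


def decode_option55(hexstr):
    """Option 55 (Parameter Request List): one requested DHCP option number per byte."""
    return list(bytes.fromhex(hexstr))


def decode_option60(hexstr):
    """Option 60 (Vendor Class Identifier): printable ASCII sent by the client."""
    return bytes.fromhex(hexstr).decode("ascii", errors="replace")


def fingerprint(attrs):
    """Summarise the terminal-identification data the AC forwards to iMC."""
    return {
        "mac": bytes.fromhex(attrs["Caller-ID"]).decode("ascii"),  # hex-encoded ASCII MAC
        "option55": decode_option55(attrs["DHCP-Option55"]),
        "option60": decode_option60(attrs["DHCP-Option60"]),
    }


def os_hint(fp):
    """Toy heuristic (assumption, not iMC's logic): 'MSFT' vendor class means a Windows client."""
    return "Windows" if fp["option60"].startswith("MSFT") else "unknown"


if __name__ == "__main__":
    fp = fingerprint(parse_attrs(SAMPLE_DEBUG))
    print(fp, os_hint(fp))
```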
4) The same attribute fields can also be seen in a packet capture:
四、 Key configuration points:
1. The portal server's server-type must be imc, and the radius scheme's server-type must be extended.
2. Enable dhcp-snooping and dhcp-snooping binding record user-identity in system view.
3. The AC itself does not identify the terminal's operating system or vendor; it only forwards the option 55 and option 60 information to iMC, which performs the terminal identification.